REvil Ransomware Operations Apparently Unaffected by Recent Arrests

The REvil (Sodinokibi) ransomware cooperative’s activity has not slowed down following Russia’s recent move to arrest several alleged members of the group, according to threat intelligence company ReversingLabs.

The REvil (Sodinokibi) ransomware cooperative’s activity has not slowed down following Russia’s recent move to arrest several alleged members of the group, according to threat intelligence company ReversingLabs.

Two weeks have passed since Russia’s law enforcement agency FSB announced the takedown of the REvil group “at the request of US authorities,” but the ransomware-as-a-service (RaaS) enterprise remains as active as before.

After long being accused of allowing cybercriminals to proliferate within its borders – as long as Russian nationals or organizations are not hurt – Russia appeared set to send a different message with the arrest of 14 members of the REvil gang, even if some saw it as a political move – amidst the increasing tensions at the Ukraine border.

However, as ReversingLabs points out, the high-profile arrests of affiliates did not put a dent in REvil operations. In fact, the group is continuing operations at the very same pace as just before the arrests.

[ READ: Five Key Signals From Russia’s REvil Ransomware Bust ]

In November 2021, Europol announced the arrest of seven individuals involved in the proliferation of REvil and GandCrab ransomware attacks (the arrests were made over a period of 7 months), at which time ReversingLabs was seeing an average of 47 new REvil implants daily (326 per week).

That number was higher than in September (43 new implants per day – 307 per week) and October (22 new daily implants – 150 per week), but much lower than in July (87 daily – 608 per week), when the group went offline.

Following Russia’s arrests, the number of observed REvil implants increased from 24 per day (169 per week) to an average of 26 implants a day (180 per week).


“While it’s true that more time may be needed to assess the full impact of the arrests on REvil’s activity, the data so far would suggest that it is ‘business as usual’ for the ransomware gang,” ReversingLabs notes.

[ READ: Dark Web Chatter: What Other Russian Hackers Are Saying About the REvil Arrests ]

“Threat groups exploit regionalised regulation, and distributed organizational structure with sovereign state safehousing, all while leveraging a ‘no-rule’ borderless attack strategy. That makes it ever harder for national and international criminal policing organizations to put an end to threat groups such as REvil,” ReversingLabs senior threat researcher Andrew Yeates says.

While coordinated action against REvil infrastructure may have had a short-term impact on the RaaS’s prevalence, much stronger action is needed to truly halt the cybercrime ring’s activities, especially given the corporation-like structure of the group, in which affiliates launch the attacks and receive the payments.

Thus, eliminating only affiliates doesn’t take down the core of the RaaS and allows it to continue operations. On the other hand, if only the core is eliminated, affiliates can either rebuild the enterprise or migrate to a different RaaS, and this is true for other similar cybercriminal organizations as well.

Related: SecurityWeek Cyber Insights 2022: Ransomware

Related: REvil Ransomware Gang Hit by Law Enforcement Hack-Back Operation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.